Sunday, September 28. 2008

Good news from work. A new version of BinNavi, the graph-based reverse engineering software I've been working on for the last few months, is supposed to be released in mid-October. We sent out Beta versions of BinNavi to a few select customers about two weeks ago and this week we are going to send all of them a second beta version that includes many of the improvements they suggested.

BinNavi 2.0 introduces many cool new features. There is a completely new GUI which makes it easier to work with disassembled files stored in BinNavi databases. All disassembled files in BinNavi databases can now be accessed from the main window. Different files can be combined into projects that can be used to analyze and debug multiple disassembled files and the interaction between them. Think of having one EXE file and multiple DLL files in one project, for example.

Click here to see a screenshot of the new main window. You can see eight disassembled files (Modules) and one project that combines notepad.exe with a few imported DLL files.

Other features were added to improve the ease of navigation through disassembled files. BinNavi 2.0 supports tabbed graph windows that work kind of like tabs in web browsers. An improved Proximity Browsing mode is available that can be used to hide all blocks of a graph except those in the immediate neighbourhood of the blocks currently analyzed by the user. Functions and graph nodes can be tagged with arbitrary tags. We reintroduced the pathfinding feature that was present in BinNavi 1.2 but missing in BinNavi 1.5. Using pathfinding you can find all possible paths between two arbitrary basic blocks of the disassembled file. This is pretty useful for control flow analysis.

Click here to see a screenshot of the new graph window. Four functions are open and in the visible function ("start") you can see a few basic blocks tagged with the tag "Library Code".

Click here to see a screenshot of the graph window in Proximity Browsing mode. You can see two blocks at the top of the window which both have two incoming edges. The nodes from where the edges come are hidden. They can be made visible by either clicking on the round Proximity Browsing nodes or by selecting one of the two top nodes.

Pathfinding in BinNavi 2.0 is implemented as a plugin and comes shipped with full source code, which brings me to the next point.
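To illustrate what the pathfinding feature computes, here is an added example (my own illustration, not the source of the BinNavi pathfinding plugin) that enumerates all simple paths between two basic blocks of a control flow graph. The graph is a constructed dictionary of block names and successor lists; the `max_paths` cap is an assumption I added, because the number of simple paths can grow exponentially in graphs with many branches, so a practical tool needs a bound.

```python
"""Added example: all simple paths between two basic blocks of a CFG.

This is illustration code, not the BinNavi plugin's source. The CFG below is
constructed for the example; blocks map to their successor blocks.
"""

# Constructed control flow graph. "loop_body" -> "check" is a back edge, so a
# naive walk would loop forever; simple paths never revisit a block.
# "cleanup" is reachable from nowhere and therefore lies on no path.
CFG = {
    "entry": ["check", "fail"],
    "check": ["loop_body"],
    "loop_body": ["check", "ok"],
    "fail": ["exit"],
    "ok": ["exit"],
    "cleanup": ["exit"],
    "exit": [],
}


def find_all_paths(cfg, start, end, max_paths=10000):
    """Depth-first enumeration of simple paths (no block repeated) from start to end.

    Returns a list of tuples of block names. Enumeration stops once max_paths
    paths have been collected (assumed safety valve for branch-heavy graphs).
    """
    paths = []

    def dfs(node, path, on_path):
        if len(paths) >= max_paths:
            return
        if node == end:
            paths.append(tuple(path))
            return
        for succ in cfg.get(node, ()):
            if succ in on_path:      # back edge or revisit: skip to stay simple
                continue
            on_path.add(succ)
            path.append(succ)
            dfs(succ, path, on_path)
            path.pop()
            on_path.discard(succ)

    dfs(start, [start], {start})
    return paths


def blocks_on_any_path(cfg, start, end):
    """Union of all blocks that appear on some start->end path (useful for highlighting)."""
    return set().union(*find_all_paths(cfg, start, end)) if find_all_paths(cfg, start, end) else set()


if __name__ == "__main__":
    for p in find_all_paths(CFG, "entry", "exit"):
        print(" -> ".join(p))
    print("blocks on some path:", sorted(blocks_on_any_path(CFG, "entry", "exit")))
```

Run as-is it prints the two paths from `entry` to `exit`; the back edge into `check` is skipped, and `cleanup` never appears because no path from `entry` reaches it.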

BinNavi 2.0 is the first version of BinNavi to contain a comprehensive plugin and scripting API. Thanks to a few dozen interfaces and classes exposed by the plugin API, nearly all aspects of BinNavi can be accessed or even modified using scripts written in Java, Python, Ruby, and ECMAScript. Users of BinNavi 2.0 can implement their own analysis algorithms in a plugin and integrate access to the plugin in the BinNavi GUI. Of course BinNavi 2.0 still provides the console-style scripting window where users can enter their own Python or Ruby scripts on the fly.

An important part of the plugin/scripting API is the integration of REIL. REIL is our platform-independent Reverse Engineering Intermediate Language that makes it easy to write platform-independent code analysis algorithms. Using the BinNavi API it is possible to translate real assembler code into REIL code, which is structurally simpler than real code. The REIL instruction set contains fewer than 20 different instructions, each of which has just a single effect on the output value it operates on. This makes the analysis of REIL code very straightforward. REIL was first proven to work well when I wrote my master's thesis last year (titled 'Type-Reconstruction of x86 Assembly'). I implemented a REIL-based type-reconstruction algorithm for x86 code which will be part of BinNavi in the future. With version 2.0 we are finally able to start adding our REIL-based algorithms to BinNavi.
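The "single effect per instruction" property is easiest to see on a concrete translation. The following added example (mine, not BinNavi's REIL translator) lowers three x86 instructions into REIL-style three-address tuples and checks, against a reference x86 semantics, that the lowered sequence computes the same registers and flags. The tuple format `(mnemonic, op1, op2, out)`, the omission of explicit operand sizes, and the tiny x86 subset (`add`, `xor`, `mov` with `CF` and `ZF` only) are simplifications I assumed for the illustration; real REIL operands carry sizes and the translator covers far more of x86.

```python
"""Added example: REIL-style lowering of a few x86 instructions with an equivalence check.

Illustration code, not BinNavi's translator. Operand sizes are omitted and only
the flags CF and ZF are modelled; these are assumptions of this example.
"""
import random

MASK32 = 0xFFFFFFFF


def x86_step(insn, regs):
    """Reference semantics for the subset: ('add'|'xor'|'mov', dst, src)."""
    regs = dict(regs)
    mnem, dst, src = insn
    if mnem == "mov":
        regs[dst] = regs[src]
    elif mnem == "add":
        full = regs[dst] + regs[src]
        regs[dst] = full & MASK32
        regs["CF"] = (full >> 32) & 1
        regs["ZF"] = int(regs[dst] == 0)
    elif mnem == "xor":
        regs[dst] = regs[dst] ^ regs[src]
        regs["CF"] = 0
        regs["ZF"] = int(regs[dst] == 0)
    return regs


def to_reil(insn):
    """Lower one x86 instruction to a list of (mnemonic, op1, op2, out) tuples.

    Every tuple writes exactly one output: side effects such as flags become
    separate instructions instead of being hidden inside 'add' or 'xor'.
    """
    mnem, dst, src = insn
    if mnem == "mov":
        return [("str", src, None, dst)]
    if mnem == "add":
        return [
            ("add", dst, src, "t0"),       # t0 is wide enough to keep the carry bit
            ("and", "t0", MASK32, dst),    # truncate the result to 32 bits
            ("bsh", "t0", -32, "t1"),      # negative shift = shift right
            ("and", "t1", 1, "CF"),        # carry is bit 32 of the wide sum
            ("bisz", dst, None, "ZF"),     # ZF = (dst == 0)
        ]
    if mnem == "xor":
        return [
            ("xor", dst, src, dst),
            ("str", 0, None, "CF"),        # xor always clears carry
            ("bisz", dst, None, "ZF"),
        ]
    raise ValueError("unsupported instruction: %r" % (insn,))


def reil_run(reil, regs):
    """Interpret the REIL-style tuples; registers and temporaries share one map."""
    regs = dict(regs)

    def val(op):
        return regs[op] if isinstance(op, str) else op

    for mnem, a, b, out in reil:
        if mnem == "str":
            regs[out] = val(a)
        elif mnem == "add":
            regs[out] = val(a) + val(b)
        elif mnem == "and":
            regs[out] = val(a) & val(b)
        elif mnem == "xor":
            regs[out] = val(a) ^ val(b)
        elif mnem == "bsh":
            s = val(b)
            regs[out] = val(a) << s if s >= 0 else val(a) >> -s
        elif mnem == "bisz":
            regs[out] = int(val(a) == 0)
    return regs


def equivalent(insn, trials=500, seed=1):
    """True if the lowering agrees with the reference on random register states."""
    rng = random.Random(seed)
    for _ in range(trials):
        regs = {"eax": rng.getrandbits(32), "ebx": rng.getrandbits(32), "CF": 0, "ZF": 0}
        ref = x86_step(insn, regs)
        got = reil_run(to_reil(insn), regs)
        if any(ref[k] != got[k] for k in ref):
            return False
    return True


if __name__ == "__main__":
    for insn in (("add", "eax", "ebx"), ("xor", "eax", "eax"), ("mov", "eax", "ebx")):
        print(insn, "->", to_reil(insn), "equivalent:", equivalent(insn))
```

The point of the decomposition is that an analysis only ever has to reason about one write per instruction: a data-flow pass sees that `CF` depends on `t1`, which depends on `t0`, without knowing anything about x86 flag conventions.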

Click here to see a screenshot of the scripting console. You can see a few Python lines that translate the code of the open graph to REIL code.

There are a few other smaller yet still cool new features in BinNavi 2.0.

BinNavi stores disassembled files in SQL databases and even though our database format was always open to the public (see Ero's blog post for example), starting with version 2.0 we are going to actively document the database format and how to use it. This means that people can write their own reverse engineering tools to use with BinNavi databases.

The language of the BinNavi GUI can now be changed. Even though BinNavi 2.0 only offers English and German as GUI languages we are planning to offer more languages in the future to allow users of BinNavi to work in their native languages.

There is a pretty cool new dialog that can be used to select nodes of a graph according to arbitrary criteria. Using this dialog you can build complex logical expressions like "select all nodes that contain a reference to the register 'eax' and have two or more outgoing edges". This makes it very easy to select subsets of large graphs.
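The criteria in that dialog compose like boolean expressions, which is easy to reproduce in a script. The following added example (my illustration, not BinNavi's dialog or its API) builds the query quoted above, "nodes that reference `eax` and have two or more outgoing edges", from small predicate functions and runs it over a constructed graph of basic blocks. The `Node` class and the sample blocks are made up for the example.

```python
"""Added example: composable node-selection criteria over a graph.

Illustration code, not BinNavi's selection dialog. Node and the sample graph
are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    instructions: list   # instruction text, one string per instruction
    successors: list     # names of nodes reached by outgoing edges


# Constructed graph of basic blocks.
NODES = [
    Node("start", ["push ebp", "mov ebp, esp", "test eax, eax", "jz fail"], ["fail", "body"]),
    Node("body", ["mov ecx, [ebp+8]", "cmp ecx, 0", "jne loop"], ["loop", "done"]),
    Node("loop", ["add eax, ecx", "dec ecx", "jnz loop"], ["loop", "done"]),
    Node("fail", ["xor eax, eax"], ["done"]),
    Node("done", ["pop ebp", "ret"], []),
]


def references_register(reg):
    """Criterion: some instruction of the node mentions the register as a whole word."""
    pattern = re.compile(r"\b%s\b" % re.escape(reg))
    return lambda node: any(pattern.search(insn) for insn in node.instructions)


def out_degree_at_least(k):
    """Criterion: the node has at least k outgoing edges."""
    return lambda node: len(node.successors) >= k


def all_of(*criteria):
    return lambda node: all(c(node) for c in criteria)


def any_of(*criteria):
    return lambda node: any(c(node) for c in criteria)


def negate(criterion):
    return lambda node: not criterion(node)


def select(nodes, criterion):
    """Names of the nodes matching the criterion, in graph order."""
    return [node.name for node in nodes if criterion(node)]


# "select all nodes that contain a reference to the register 'eax'
#  and have two or more outgoing edges"
EAX_BRANCHING = all_of(references_register("eax"), out_degree_at_least(2))

# A second, nested query: touches ecx or ebp, but is not a branching node.
NON_BRANCHING_FRAME_OR_COUNTER = all_of(
    any_of(references_register("ecx"), references_register("ebp")),
    negate(out_degree_at_least(2)),
)

if __name__ == "__main__":
    print(select(NODES, EAX_BRANCHING))
    print(select(NODES, NON_BRANCHING_FRAME_OR_COUNTER))
```

The word-boundary match matters: a naive substring test for `eax` would not misfire here, but one for `ebp` would also match nothing different; with registers like `ax` versus `eax` a plain substring search selects far more than intended.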